What is penetration testing?
by Jazmine West
Healthcare continues to be the most targeted industry for cyberattacks, and that number continues to trend upwards in the midst of the coronavirus pandemic (Health IT Security).
Many healthcare organizations are beginning to take cybersecurity much more seriously. Unfortunately, it still may not be enough.
Another tactic that providers can take to secure their networks is to conduct penetration testing.
Penetration testing (also shortened as pen testing) is a preventative security measure to expose vulnerabilities in computer networks and data by simulating a cyberattack.
A company requests ethical hackers or cybersecurity experts to perform a planned “attack” in order to identify any weak points in its security system. Upon conclusion, a business is armed with useful information to strengthen its defenses against cybercriminals.
Is pen testing critical for healthcare?
Absolutely! According to Health IT Security, protected health information (PHI) is the most targeted type of data by cybercriminals because it often contains valuable data such as bank account information. It is often leveraged in ransomware attacks.
Penetration tests can help you achieve HIPAA compliance by identifying any points where unauthorized parties could access data. In fact, pen testing covers the technical evaluation requirement for HIPAA administrative safeguards.
How are pen tests conducted?
The first step before running a pen test is to establish a goal for the test. Of course, the primary goal is to expose security vulnerabilities, but more specific objectives may exist depending on the organization’s needs (Core Security).
For example, a hospital may want to test if certain databases or data points can be targeted.
Once a goal is established, a tester may be granted either full or limited access to system information. The amount of data a tester is given largely depends on the organization’s goal.
White box testing, also known as internal testing, is when a tester acts as an employee or authorized user to perform a pen test. This supplies the tester with detail and insight into weak points and vulnerabilities. A white box approach can also reveal how employees may intentionally or unintentionally exploit PHI and other sensitive data.
Black box testing (external testing) gives as little information as possible to most closely resemble a real cyberattack. The tester performs the pen test from an outsider’s perspective.
Gray box testing falls somewhere between the white box and black box approaches. This can be useful if an organization wants to measure or control the level of permission users have.
What are the different types of tests?
A variety of pen tests exist to discover weak points with different techniques on various platforms. PurpleSec recognizes 6 types of pen tests:
- Network Services: This test is the most common and identifies vulnerabilities in the network infrastructure (servers, firewalls, routers, etc).
- Web Application: A more complex test, experts evaluate web apps, browsers, and associated software and plugins.
- Client-Side: This test involves client-facing programs and software including email clients, web browsers, and programs such as Microsoft Office or Adobe Photoshop.
- Wireless: Devices that are connected to a common network (phones, laptops, printers, etc) are targeted to examine any connection vulnerabilities.
- Social Engineering: This test highlights any phishing and other fraudulent/trust-based cyberattacks.
- Physical Penetration Testing: Often overlooked, a tester attempts to gain physical entry into a data center such as a server room or file storage.
How often should organizations conduct pen tests?
Redscan recommends testing annually at a minimum, but there are other situations that warrant a test, including:
- Infrastructural changes
- Mergers & acquisitions
- Launching new products or services
- Maintaining/updating a system for compliance
Between tests, it’s still necessary that your organization remains protected. Inbound email security is a critical way to defend against phishing attacks and other malicious emails.
Our Plus and Premium plan levels block all types of phishing emails. This is critical to protect your system from ransomware or malware that can stealthily steal or spy on your organization’s data. Additionally, Paubox Email Suite Premium includes data loss prevention (DLP) to keep employees from sending sensitive data to unauthorized parties (intentionally or otherwise).
Strong email security is necessary to ensure your healthcare organization is not vulnerable to cybercriminals and reduces the need for frequent penetration tests (which can be very expensive.)
Make sure your company and patient data are protected with Paubox.